PASSPORT SECURITY BREACH FIXED BUT ... WHAT THE HECK
A Pakistani researcher found a strange and simple security hole in Microsoft's Passport system that could have revealed credit card numbers and other personal information for every user on the system. The flaw, which the company immediately fixed, was triggered by a simple URL that the company sent to users who wanted to reset their passwords. The URL contained the user's email address, and by changing that part of the URL to another user's address, an attacker could change the passwords for other Passport accounts and therefore gain access to those accounts. Given Microsoft's recent conversion to the Trustworthy Computing initiative, the revelation of such a simple-minded flaw in Passport is somewhat troubling, to say the least.
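The general defense against this class of flaw, shown as an added example that is not Microsoft's code: the reset link carries a random single-use token, and the server takes the account from its own record of that token rather than from the email in the URL. The host `accounts.example`, the parameter names `em` and `t`, the 15-minute lifetime and the in-memory store are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

RESET_TTL = 900   # assumed link lifetime in seconds
_pending = {}     # sha256(token) -> (email, expiry); stands in for a database table

def naive_account_for_reset(url):
    """Flawed pattern from the article: the email in the URL decides the account."""
    return parse_qs(urlparse(url).query).get("em", [""])[0].lower()

def issue_reset_link(email, now=None):
    """Issue a link whose authority is a random single-use token bound to one account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
    _pending[digest] = (email.lower(), now + RESET_TTL)
    # Hypothetical host and parameter names.
    return "https://accounts.example/reset?" + urlencode({"em": email, "t": token})

def account_for_reset(url, now=None):
    """Return the account this link may reset, or None if it must be rejected."""
    now = time.time() if now is None else now
    query = parse_qs(urlparse(url).query)
    token = query.get("t", [""])[0]
    claimed = query.get("em", [""])[0].lower()
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _pending.pop(digest, None)   # consumed on first presentation
    if record is None:
        return None                       # unknown, forged or already used token
    email, expiry = record
    if now > expiry:
        return None
    if not hmac.compare_digest(email.encode(), claimed.encode()):
        return None                       # email edited in the URL
    return email                          # account comes from the server-side record
```
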